
New tools sought for facilitating international data transfers between EU and Asia-Pacific

Out-Law News | 28 Mar 2013 | 10:27 am

EU privacy watchdogs are working with countries from across the Asia-Pacific region in a bid to develop new "tools" that will make it easier for businesses to transfer personal data overseas.

The Article 29 Working Party, a committee made up of representatives from each EU national data protection authority, said that it was working with the Asia Pacific Economic Cooperation (APEC) – a group of 21 countries that includes Australia, Japan, Singapore and the US – in order to find a fit between two existing systems that govern data transfers in the regions.

In a joint statement the Working Party and APEC said that businesses may be able to obtain a "common referential" to have their international transfers across the EU and APEC regions approved as part of the new tools.

Current EU data protection laws prevent companies from sending personal data outside of the European Economic Area (EEA) except where adequate protections have been put in place or in circumstances where the destination country has been pre-approved as having adequate data protection. Only a handful of countries, including Argentina, Canada and Switzerland, have qualified as having adequate protection. The EEA includes all 27 EU member states, Iceland, Norway and Liechtenstein.

When a company wants to send personal data to other non-EEA countries, that company must ensure that adequate protections are in place, even when the transfer is from one group company to another. One mechanism open to companies to achieve those 'adequacy' standards is to put in place binding corporate rules (BCRs). Businesses that form BCRs agree legally-binding commitments with regulators over the transfer and processing of personal data outside of the EEA.

APEC countries operate a voluntary certified system that is also aimed at ensuring data protection standards are consistent when personal data is transferred out of one of the member economies to another.

The APEC Cross-Border Privacy Rules (CBPR) system is a relatively new development. Under it, businesses submit their plans for governing data transfers to 'Accountability Agents', which are responsible for assessing and ultimately certifying whether businesses meet the standards set out in the CBPR. Those rules contain base requirements that relate to how personal data is collected and used and how secure the information is, among other things.

Data protection expert Rosemary Lee of Pinsent Masons MPillay, the Singapore joint law venture partner of Pinsent Masons, the law firm behind Out-Law.com, said that work was ongoing in Singapore to establish its own regime on BCRs. However, she said that this would complement its efforts in helping to smooth arrangements for international data transfers between APEC and the EU.

"Singapore’s participation in the development of tools for the CBPR System runs parallel to its efforts to develop a BCR regime under Singapore’s new data protection regulations," Lee said.

New data protection laws, set out in the Personal Data Protection Act, are currently being brought into effect in stages in Singapore.

The Personal Data Protection Commission was formed when the Act came into force in January, but the main provisions relating to the collection, use, disclosure and processing of personal data in the private sector do not become operative until mid-2014. In addition, new regulations for ensuring that equivalent data protection standards apply to transfers of personal data outside of Singapore are currently being consulted on.

"Whilst cross-border transfers of personal data may be dealt with by contractual means providing appropriate safeguards, Singapore is also considering having binding corporate rules to govern such transfer of personal data for inter-corporate transfers," Lee said. "The proposal is to have these internal rules specify details such as the structure of the organisation’s group and its members, the data transfers or set of transfers carried out and the mechanisms adopted within the group to ensure compliance."

"A primary impetus for adopting data protection law in Singapore is economic and this new data protection regime is intended to enhance Singapore’s reputation as an e-commerce and cloud computing hub," she added. "Many multinationals operate out of Singapore as an Asia-Pacific or South-east Asia base so it is a key concern to be able to facilitate and ease intra-group data transfers within Singapore's new data protection framework."

The Working Party and APEC said that they will look to flesh out a "roadmap" for developing the new international data transfer tools over the coming months.